Microsoft’s Threat Intelligence Center has released a new tool called RIFT to help malware analysts identify malicious code hidden in Rust binaries. While Rust is becoming more popular for its speed and memory safety, those same qualities make malware written in Rust harder to analyze. RIFT is designed to cut through that complexity and make the job easier.

Overview of RIFT Static Analyzer (Source: Microsoft)

Why Rust malware is hard to analyze

To show the challenge, Microsoft ran a test. They wrote a simple downloader in C++ and in Rust. Both did the same work: download data and save it. Then they compared the binaries. The C++ version had under 100 functions and its binary was under 20 KB. The Rust version had nearly 10,000 functions and was over 3 MB in size.

“Programs written in Rust are typically statically linked, embedding all dependencies directly into the executable. As a result, binaries are larger with a high volume of functions, requiring analysts to distinguish first between third-party library code and attacker-authored logic,” Microsoft researchers explained.

How RIFT works

RIFT has three parts:

  • Static Analyzer: an IDA Pro plugin. It reads the binary to find metadata: Rust compiler version, dependencies, target platform. It logs this into a JSON file.
  • Generator: a Python script. It downloads the right compiler and libraries, creates FLIRT signatures, and runs binary diffing. It uses cargo, rustup, Hex-Rays tools, and Diaphora.
  • Diff Applier: another IDA Pro plugin. It reads diff results or FLIRT signatures, then applies annotations inside IDA so analysts can easily spot library functions.

“Currently, the plugins are only developed for IDA Pro and tested on IDA Pro >=9.0. RIFT Generator was tested on Windows 10, 64 bit,” the researchers noted.

Pattern matching inside RIFT

RIFT uses two main techniques to help analysts spot library code in Rust binaries: FLIRT signatures and binary diffing. FLIRT signatures are fast and reliable. They match known functions from Rust libraries with high accuracy and rarely produce false positives. However, they only work when the code in the malware is very close to the original library code.

To catch functions that have changed slightly, RIFT also uses binary diffing. This process compares compiled Rust libraries to the malware binary to find similarities. Binary diffing is more flexible than FLIRT signatures but takes much longer to complete, sometimes requiring several hours.

RIFT begins by applying FLIRT signatures. Then it runs binary diffing to find anything that was missed. After both steps, the plugin helps analysts review and label the results directly in IDA Pro, so they can focus on the code that actually matters.
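The trade-off between the two techniques above is easy to see in a small model. The following Python script is an added illustration written for this article; it is not code from RIFT or Microsoft. The byte sequences standing in for library functions and for the sample's functions are constructed, the names (`lib::alloc`, `sub_1000`, and so on) are hypothetical, and the matching is simplified: the "FLIRT" step masks only the relocated operand of `call` instructions and requires an exact masked match, while the "diffing" step scores byte 3-gram overlap instead of the control-flow features a real diffing tool uses. It runs signatures first and diffing only on what they missed, in the same order as the pipeline described above.

```python
from typing import Dict, List, Optional, Set, Tuple

Token = int           # a concrete byte value, or WILDCARD
WILDCARD: Token = -1  # stands in for a byte the signature masks (relocated operand)

# Constructed byte sequences standing in for compiled library functions.
# They are NOT real Rust std/crate code; the names are illustrative only.
LIBRARY: Dict[str, bytes] = {
    "lib::alloc": bytes.fromhex("554889e54883ec20e8112233444883c4205dc3"),
    "lib::write": bytes.fromhex("554889e548897df8488975f0e8556677885dc3"),
    "lib::hash":  bytes.fromhex("4831c0480fafc748c1c0054831c7c3"),
}

# Constructed functions from a hypothetical sample, as seen after disassembly:
# one library copy that differs only in its call target, one copy with an
# extra instruction (0x90) inserted, and one function unrelated to any library.
SAMPLE: Dict[str, bytes] = {
    "sub_1000": bytes.fromhex("554889e54883ec20e8998877664883c4205dc3"),
    "sub_2000": bytes.fromhex("554889e59048897df8488975f0e8010203045dc3"),
    "sub_3000": bytes.fromhex("48c7c03c0000004831ff0f05"),
}


def mask_relocations(code: bytes) -> List[Token]:
    """Replace the 4-byte rel32 operand after an E8 (call) opcode with wildcards.

    Signatures mask bytes the linker patches, because those differ between
    builds even when the function is otherwise identical. This byte scan is a
    simplification: a real signature generator works from the disassembly and
    masks every relocated operand, not only call targets.
    """
    out: List[Token] = []
    i = 0
    while i < len(code):
        b = code[i]
        out.append(b)
        if b == 0xE8 and i + 4 < len(code):
            out.extend([WILDCARD] * 4)
            i += 5
        else:
            i += 1
    return out


def build_signatures(library: Dict[str, bytes]) -> Dict[str, List[Token]]:
    """One masked pattern per library function (a stand-in for a .sig file)."""
    return {name: mask_relocations(code) for name, code in library.items()}


def flirt_match(candidate: bytes, signatures: Dict[str, List[Token]]) -> Optional[str]:
    """Exact match: same length and every non-wildcard byte agrees.

    This strictness is why signatures are fast and rarely produce false
    positives, and also why a single inserted instruction defeats them.
    """
    masked = mask_relocations(candidate)
    for name, pattern in signatures.items():
        if len(pattern) == len(masked) and all(
            p == WILDCARD or m == WILDCARD or p == m for p, m in zip(pattern, masked)
        ):
            return name
    return None


def ngrams(tokens: List[Token], n: int = 3) -> Set[Tuple[Token, ...]]:
    """Set of overlapping n-token windows, the feature used for fuzzy comparison."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def diff_match(candidate: bytes, library: Dict[str, bytes],
               threshold: float = 0.5) -> Tuple[Optional[str], float]:
    """Fuzzy match: Jaccard similarity of masked byte 3-grams, best library hit wins.

    Stands in for a binary-diffing score. It tolerates small edits, but every
    unmatched function is compared against every library function, which is
    the cost that makes diffing so much slower than signature matching.
    """
    cand = ngrams(mask_relocations(candidate))
    best_name, best_score = None, 0.0
    for name, code in library.items():
        lib = ngrams(mask_relocations(code))
        union = cand | lib
        score = len(cand & lib) / len(union) if union else 0.0
        if score > best_score:
            best_name, best_score = name, score
    return (best_name, best_score) if best_score >= threshold else (None, best_score)


def classify(sample: Dict[str, bytes], library: Dict[str, bytes]
             ) -> Dict[str, Tuple[str, Optional[str], float]]:
    """Signatures first; diffing only for functions the signatures missed."""
    signatures = build_signatures(library)
    results: Dict[str, Tuple[str, Optional[str], float]] = {}
    for fname, code in sample.items():
        hit = flirt_match(code, signatures)
        if hit is not None:
            results[fname] = ("flirt", hit, 1.0)
            continue
        name, score = diff_match(code, library)
        results[fname] = ("diff", name, score) if name else ("unmatched", None, score)
    return results


if __name__ == "__main__":
    for fname, (method, lib, score) in classify(SAMPLE, LIBRARY).items():
        print(f"{fname}: {method:9} {lib or '(left for the analyst)'} score={score:.2f}")
```

Running it labels `sub_1000` through the signature path, `sub_2000` only through diffing (its inserted byte changes the length, so the exact pattern fails, but its 3-gram overlap with `lib::write` is about 0.74), and leaves `sub_3000` unlabelled, which is exactly the attacker-authored residue an analyst wants to be left looking at.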

Real-world tests

Microsoft tried RIFT on RALord ransomware. The tool pulled compiler info and dependencies, made FLIRT signatures, and applied them. In IDA, most library code in the main function was correctly identified. That left only the suspect code to inspect.

They also tested a backdoor named SPICA. They used both FLIRT and diffing. In cases where FLIRT missed parts, diffing filled in. That helped make analysis smoother.

RIFT is available for free on GitHub.
